Updated: Apr 15, 2021
With attacks up 41% in 2019 and costs forecasted to reach $20 billion by 2021, ransomware is now considered by many to be the top malware threat and challenge for enterprises, governments, and individuals worldwide. Multiple attack vectors such as Phishing emails, infected websites and malvertising, fake apps, and infected storage devices make it virtually impossible for organizations to keep ransomware out of their networks using traditional endpoint, gateway, and network security solutions.
Prismo provides a comprehensive solution to protect against malware and ransomware – from initial access to lateral propagation to execution and impact for attacks emanating from users and servers.
Prismo blocks initial access on the server-side:
Prismo deploys ‘active sensors’ on the servers. These sensors discover the authorized installation accounts in production, test, development and even lab environments. The sensors also track the provenance of every file that is written or installed on the
server. A package, executable or script that does not have the provenance of Enterprise authorized installation accounts is prevented from executing by our active sensor. This powerful capability blocks DoS attacks like ransomware right at install time
and is not subject to evasion from ransomware morphing its behavior.
Prismo detects and contains lateral propagation :
The initial entry point for ransomware might be through a link in a phishing email
that an enterprise employee using a BYOD device clicks. Initial access could also be
through a 3rd party such as a contractor. Employees compromised by the initial
access might not have privileges to access critical systems, but ransomware is
designed to propagate laterally across the network to more important privileged
users and systems. Prismo network sensors detect horizontal movement from user to-
user, as well as the various MITRE Tactics and Techniques associated with
Credential Access, Exploration, Privilege Escalation, Persistence, Evasion, and CnC
communication. When any atomic event triggers, Prismo immediately notifies the
SOC and dynamically pushes preventive policies to its active sensors on critical file
shares so that compromised user devices cannot access them until they have been
Prismo detects and blocks the execution and impact :
In rare cases, the initial access for ransomware might be to a privileged user who has
access to critical systems. Prismo uses a combination of Deception and Machine
Learning (ML) to detect and block the encryption of files.
I. Deception: Unbeknownst to users and malware, Prismo sprinkles honey files in
directories and file servers. While these honey files resemble normal files, these
files are never accessed by users. Prismo detects the unauthorized access of these
files and their encryption immediately notifies the SOC and dynamically pushes
preventive policies to its active sensors on critical file shares so that compromised
user devices cannot access them until they have been remediated.
II. Machine Learning: Prismo builds a model of the file access behavior displayed by
ransomware families to detect them. Some of the features used in the model
include rate of files read and written in a short period of time, rate of files deleted
in a short period of time, iteration over multiple directories in a short time period,
rate of different file types accessed and delta-time between file writes of two
Simplified security stack
75% reduction in spend
For more information or to schedule a
demo, please contact us at: